Merge pull request #520 from vardhaman22/v1.2/cis-1.9

[release/v1.2] added cis 1.9 generic and cis 1.9 k3s profiles
rancher · Dec 4, 2024 · 0e484b3 · 0e484b3
2 parents 3b2749f + 6dceea2
commit 0e484b3
Show file tree

Hide file tree

Showing 13 changed files with 59 additions and 20 deletions.
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
@@ -12,11 +12,11 @@ annotations:
   catalog.cattle.io/type: cluster-tool
   catalog.cattle.io/ui-component: rancher-cis-benchmark
 apiVersion: v1
-appVersion: v6.4.0
+appVersion: v6.5.0
 description: The cis-operator enables running CIS benchmark security scans on a kubernetes
   cluster
 icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
 keywords:
 - security
 name: rancher-cis-benchmark
-version: 6.4.0
+version: 6.5.0
diff --git a/chart/app-readme.md b/chart/app-readme.md
@@ -18,14 +18,16 @@ This chart installs the following components:
 
 | Source | Kubernetes distribution | scan profile                                                                                                       | Kubernetes versions |
 |--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
-| CIS    | any                     | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8)                                | v1.26+              |
-| CIS    | rke                     | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive)  | rke1-v1.26+         |
-| CIS    | rke                     | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened)      | rke1-v1.26+         |
-| CIS    | rke2                    | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+         |
-| CIS    | rke2                    | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened)    | rke2-v1.26+         |
-| CIS    | k3s                     | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive)  | k3s-v1.26+          |
-| CIS    | k3s                     | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened)      | k3s-v1.26+          |
-| CIS    | eks                     | eks-1.2.0                                                                                                          | eks                 |
-| CIS    | aks                     | aks-1.0                                                                                                            | aks                 |
-| CIS    | gke                     | gke-1.2.0                                                                                                          | gke                 |
-| CIS    | gke                     | gke-1.6.0                                                                                                          | gke-1.29+            |
+| CIS    | any                     | [cis-1.9](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.9)                                                         | v1.27+              |
+| CIS    | any                     | [cis-1.8](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.8)                                                         | v1.26               |
+| CIS    | rke                     | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-permissive)  | rke1-v1.26+         |
+| CIS    | rke                     | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-hardened)                  | rke1-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-hardened)                 | rke2-v1.26+         |
+| CIS    | k3s                     | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.9)                                | k3s-v1.27+          |
+| CIS    | k3s                     | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-permissive)  | k3s-v1.26           |
+| CIS    | k3s                     | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-hardened)                  | k3s-v1.26           |
+| CIS    | eks                     | [eks-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.2.0)                                                       | eks                 |
+| CIS    | aks                     | [aks-1.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/aks-1.0)                                                         | aks                 |
+| CIS    | gke                     | [gke-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.2.0)                                                       | gke-1.20            |
+| CIS    | gke                     | [gke-1.6.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.6.0)                                                       | gke-1.29+           |
diff --git a/chart/templates/benchmark-cis-1.8.yaml b/chart/templates/benchmark-cis-1.8.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
   clusterProvider: ""
   minKubernetesVersion: "1.26.0"
+  maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-cis-1.9.yaml b/chart/templates/benchmark-cis-1.9.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.9
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.27.0"
diff --git a/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml b/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
   clusterProvider: k3s
   minKubernetesVersion: "1.26.0"
+  maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml b/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
   clusterProvider: k3s
   minKubernetesVersion: "1.26.0"
+  maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-k3s-cis-1.9.yaml b/chart/templates/benchmark-k3s-cis-1.9.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.9
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.27.0"
diff --git a/chart/templates/configmap.yaml b/chart/templates/configmap.yaml
@@ -14,5 +14,5 @@ data:
   eks: "eks-profile"
   gke: "gke-profile-1.6.0"
   aks: "aks-profile"
-  k3s: "k3s-cis-1.8-profile-permissive"
-  default: "cis-1.8-profile"
+  k3s: "k3s-cis-1.9-profile"
+  default: "cis-1.9-profile"
diff --git a/chart/templates/scanprofile-cis-1.9.yaml b/chart/templates/scanprofile-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.9-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.9
diff --git a/chart/templates/scanprofile-k3s-cis-1.9.yaml b/chart/templates/scanprofile-k3s-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.9-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.9
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -5,10 +5,10 @@
 image:
   cisoperator:
     repository: rancher/cis-operator
-    tag: v1.2.0
+    tag: v1.2.1
   securityScan:
     repository: rancher/security-scan
-    tag: v0.4.0
+    tag: v0.4.1
   sonobuoy:
     repository: rancher/mirrored-sonobuoy-sonobuoy
     tag: v0.57.2
@@ -45,7 +45,7 @@ global:
     clusterName: ""
   kubectl:
     repository: rancher/kubectl
-    tag: v1.29.7
+    tag: v1.29.11
 
 alerts:
   enabled: false

diff --git a/hack/make/deps.mk b/hack/make/deps.mk
@@ -4,6 +4,6 @@ GOLANGCI_VERSION = v1.62.2
 K3D_VERSION = v5.7.5
 
 # TODO: Bump aligned with Rancher Manager release line
-KUBECTL_VERSION = 1.28.12
+KUBECTL_VERSION = 1.29.11
 # renovate: datasource=github-release-attachments depName=helm/helm
 HELM_VERSION = v3.16.3
diff --git a/tests/k3s-bench-test.yaml b/tests/k3s-bench-test.yaml
@@ -4,5 +4,5 @@ metadata:
   name: k3s-e2e-scan
   namespace: cis-operator-system
 spec:
-  scanProfileName: k3s-cis-1.8-profile-permissive
+  scanProfileName: k3s-cis-1.9-profile
   scoreWarning: pass